Implied cat stroking and ominous button pushing
"As Xenotime matures, it is less likely that the group will make this mistake in the future."
Somebody is having a bad time about now.
While this week was dominated by news of a new Spectre variant, the VPNFilter botnet, and TalkTalk's bad routers, plenty of other stories popped up. Here are a handful of security happenings that you may have missed.

Wireless Z-Wave smart-locks, home IoT devices menaced

Wireless gadgets, such as home smart locks, …
'We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server'."
Beancounters you say? Is it the BOFH who sent this?
A thing to note about the whole Z-wave security issue (quite well emphasized in the original source, strikingly less so in the article) is that a huge portion of the quoted <whatever large number> z-wave devices worldwide have not the faintest clue that secure z-wave even exists, full stop. And yes, that includes a fair number of the ones being sold right now. And some of those that do have to be specifically instructed in a special way to use any security at the time you add them to your network, by using a different procedure than what you'd normally use for a no security join (you did read the leaflet all the way to the end, right?).
More to the point, there are currently more unicorns in the world than S2-capable devices - specifically, a search of the central registry of z-wave compliant products is right now yielding a grand total of 6 (six) controllers that support it (also pointed out in the original source) - whatever you have now or see in any store you can think of is going to include none of them.
Finally, the "downgrade option" is not so much a bug-type vulnerability but rather just intended interoperability - in the sense that a device that reports (or gets jammed and spoofed to "report") no support for the S2 mode is accepted to join in a less secure mode; yes, this may not be desirable, but the alternative is "this controller only works with S2-capable devices (all fifty or so of them) and DOES NOT with anything S0 or less - boy I sure do hope you know what all those terms are", which is utterly anathema to the "most z-wave stuff typically just works with any other z-wave stuff, of any generation" foundational z-wave principle. I don't see anything like that selling all that well...
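The trade-off in the comment above, as an added illustration (not code from the article, the commenter, or the Z-Wave specification): a controller that picks the strongest security class both sides advertise will quietly land a device that advertises only S0 at S0, whereas an S2-only policy refuses it. The class names follow Z-Wave S2/S0 terminology, but the real key exchange, DSK entry and KEX frames are not modelled; `negotiate`, `include` and `audit_downgraded` are hypothetical names, and the audit function is the defender-side check for nodes that joined below S2.

```python
"""Simplified model of inclusion security-class selection in a Z-Wave style network.

Added example; not Z-Wave's or any vendor's code. Only the policy decision is modelled,
not the cryptographic S2 key exchange itself.
"""
from dataclasses import dataclass

# Security classes, strongest first. The final entry means "joined with no security".
RANK = ["S2_Access_Control", "S2_Authenticated", "S2_Unauthenticated", "S0", "NONE"]


@dataclass
class Node:
    node_id: int
    advertised: frozenset       # classes the joining device claims to support
    granted: str = "NONE"       # class the controller actually included it with


def negotiate(controller_classes, advertised):
    """Return the strongest class supported by both sides, or NONE.

    This is the interoperable "just works with any generation" behaviour the comment
    describes: a device that advertises only S0 is accepted at S0.
    """
    for cls in RANK[:-1]:
        if cls in controller_classes and cls in advertised:
            return cls
    return "NONE"


def include(node, controller_classes, strict_s2=False):
    """Include a node. With strict_s2=True the controller refuses anything below S2,
    which is the "S2-capable devices only" alternative the comment calls anathema."""
    chosen = negotiate(controller_classes, node.advertised)
    if strict_s2 and not chosen.startswith("S2"):
        return False            # rejected; node.granted stays NONE
    node.granted = chosen
    return True


def audit_downgraded(nodes):
    """Defender-side check: ids of included nodes running at S0 or with no security."""
    return [n.node_id for n in nodes if not n.granted.startswith("S2")]


if __name__ == "__main__":
    ctl = set(RANK[:-1])                                   # constructed: full-featured controller
    modern = Node(2, frozenset({"S2_Authenticated", "S0"}))  # constructed sample devices
    legacy = Node(3, frozenset({"S0"}))
    include(modern, ctl)
    include(legacy, ctl)
    print("joined below S2:", audit_downgraded([modern, legacy]))  # → [3]
```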
Biting the hand that feeds IT © 1998–2020